Privacy Policy

LAST UPDATE: August 9, 2023

Eforto’s mission is to allow adults to evaluate and track changes in their physical fitness, vitality, general health, and wellness over time; as such making healthcare more personal, proactive, accessible, affordable and equitable. We do this by providing services that allow you and your healthcare provider to collect high quality and relevant medical data no matter where you are and, if needed, for long periods of time.

Everything we do with that data, described in this document, is intended to support that (and only that) mission.

How to Use this Document

This Privacy Policy concerns the use of any Eforto® device, application and service. Below, we simply refer to “Eforto® services”.

This Privacy Policy applies to adults who use the Eforto® device and accompanying applications in any setting, e.g. at home, in a wellness or fitness center (END-USER). It also applies to professional users, such as healthcare providers supporting end users in using the Eforto® Device and accompanying applications, and researchers using an Eforto® application or service (PRO-USER).

• END-USERS are indicated with a  in the text.
• PRO-USERS are indicated with a  in the text.

Privacy policies can be dense legal documents. We try to keep ours as straightforward and transparent as possible. If you have any questions or comments, please contact us.

Summary

What data do we collect?

When you use an Eforto® service, three types of data can be collected:

• Personal data you share directly with us, for instance your contact information to provide technical support or register for an account.
   & 
• Health-related information as recorded by an Eforto® service.
  
• Health & demographics data as accessible via an electronic medical record (EMR) system and as approved by your healthcare provider or participation in a research study.
  

How do we use your data?

• The collected data is used to provide our services. These services will be clearly explained when you enroll in an Eforto® service.
• As the, you always remain the owner of your data unless specified otherwise by your healthcare provider or study coordinator (see "What if I participate in or run a clinical or research study" for more information).

When and how do we share your data?

Eforto® does not sell, rent, lease, give away, disclose, or share your data without your explicit consent. The only situation where consent can be requested to share your data with a 3rd party, are clinical or research studies conducted in collaboration with a clinical or research partner (see "What if I participate in or run a clinical or research study" for more information).

Your right to control what happens with your data

UniWeb is a GDPR and HIPAA compliant company. This means that we are committed to

• protecting your privacy,
• conducting our business in a transparent manner,
• and making sure that you have full control over what happens with your data () or the data a professional user () is authorized to collect.

More information is available here:

• European General Data Privacy Regulation (GDPR)
• US Health Insurance Portability and Accountability Act (HIPAA)
• Eforto® Data Security Policy
• Your Data Rights (this document)

What if I participate in or run a clinical or research study?

•  | It is possible that you were recruited to participate in a clinical or research study by us or one of our partners. In that case, you will have received an informed consent form that explains what data will be collected as part of the study and how it will be used. All studies Eforto® participates in or conducts follow the World Medical Association Declaration of Helsinki guidelines on medical research involving human subjects. Participating in a study that uses Eforto® services in no way changes our commitment to safeguarding your privacy and data rights.
•  | If you use Eforto® services to conduct a study, we will have signed a Data Processing Agreement (DPA) with you or your institution.
  
  

Section 1 - What Data do we Collect?

When you use an Eforto® service, we collect data relating to you and your use of our services from a variety of sources.

Data we collect directly from you

1. Physiologic and Behavioral Data: Eforto® services are intended to record health-related data, more specifically physiologic* and behavioral** data. Some of this data is processed into vital signs and other health-related measures to assist your healthcare provider () in providing you () with appropriate information and care. This data is transmitted to a Eforto® managed server (Eforto® Cloud) hosted on secure and privacy-regulation compliant providers. For EU users, all data is stored on EU-based servers. For US users, data is stored on EU or US-based servers.
   *Physiologic Data: Eforto® services can record various physiologic variables, such as but not limited to, grip strength, muscle fatigability and self-perceived fatigue. Once that raw data is securely transmitted to the Eforto® Cloud, it can be automatically processed to derive other health-related digital measures.
   **Behavioral Data: Eforto® services can record inertial signals which reflect movement of a wearable device (and thus the wearer of the sensor). Once that raw data is securely transmitted to the Eforto® Cloud, it can be automatically processed to derive motion and behavioral measurements, such as but not limited to activity levels, step counts, and sleep-wake patterns.
2. Other Intentionally Shared Data: We may collect your personal or health-related information if you submit it to us in other contexts. For example, if you complete a survey included in an Eforto® service. We take care to limit the collection of this data to what is required to assist your healthcare provider in administering high quality care. Note that in some cases this data may be requested via a free text field. It is important to never disclose personal information yourself () or from the person your are supporting in using an Eforto® service () unless you are comfortable and legally-allowed to share this data.
   ALTHOUGH WE TAKE ALL REASONABLE MEASURES TO SECURE YOUR DATA, EFORTO® CANNOT BE HELD RESPONSIBLE FOR ANY PERSONALLY IDENTIFIABLE INFORMATION (PII) SUBMITTED VOLUNTARILY AND UNSOLICITED BY THE USER THROUGH A EFORTO® SERVICE.
3. Account Registration Information: You may need an Eforto® account to use certain Eforto® services ( and ). When you register voluntarily for an account, we collect your email address which may also disclose your name.
4. Billing Information: If you make a payment to Eforto®, we need your billing details, such as a name, address, company, phone number, VAT number, email address and other relevant contact details ( and ).

Data we collect about you indirectly or passively when you interact with us

1. Usage Data: We collect usage data about you whenever you interact with an Eforto® service. This may include log-in attempts, what you click on, when you performed certain actions, and so on. Additionally, like most websites and applications today, our servers keep log files that record data each time a device accesses those servers. The log files contain data about the nature of each access, including originating IP addresses, internet service providers, the files viewed, operating system versions, and timestamps.
2. Device Data: We collect data from the devices (including the Eforto® Device) and applications you use to access our services, such as your IP address, relevant device and experiment identifiers, operating system version, device type, system and performance data, and browser type. We may also infer your geographic location based on your IP address. Some of our devices are capable of setting up a remote connection to Eforto® servers which may expose more of the device’s surroundings (e.g. networks). Retrieving this data is only possible with explicit consent for each request.

Section 2 - How do we Use your Data?

This section describes what we do with the collected data and why, and how it is managed during its lifetime. Importantly,

EFORTO® SERVICES ARE NOT A MEDICAL DEVICE. EFORTO® DOES NOT MAKE ANY DIAGNOSTIC OR PROGNOSTIC CLAIMS NOR IS EFORTO® RESPONSIBLE FOR ANY DIAGNOSTIC OR PROGNOSTIC CLAIMS BASED ON PERMITTED USAGE OF OUR DEVICES AND SERVICES.

To Manage Eforto® Services

• We process the data described in Section 1 in order to derive relevant health insights. These data and insights are shared with professional users () and, in certain cases, with  to provide you with your health data.
• This data is never sold, rented, leased, given away, disclosed, or shared without your explicit consent.
• This data is never aggregated unless you have given explicit consent as part of your participation in a clinical study.
• You ( and ) may choose to export data from our services to 3rd party applications or websites. We do not own or operate these applications or websites. You are responsible for reviewing the privacy policies and statements of such applications or websites to ensure you are comfortable with the ways in which they use the data you share with them.

Furthermore, we may use your data for the following limited purposes:

1. To monitor, maintain, and improve our services and features: We perform statistical and other analysis on data we collect to analyze and measure user behavior and trends, to understand how people use our services, and to monitor, troubleshoot and improve our services, including to help us evaluate or develop new features. We may use your data for internal purposes designed to keep our services secure and operational, such as for troubleshooting and testing purposes, and for service improvement, marketing, research, and development purposes.
2. To enforce our Terms of Service
3. To respond to legal requests or prevent harm: If we receive a subpoena or other legal request, we may need to inspect the data we hold to determine how to respond and prevent potentially illegal activities.
4. To create new services, features, or content.
5. To contact you about your service or account: We can occasionally send you communications of a transactional nature (e.g. service-related announcements, billing-related matters, changes to our services or policies, a welcome email when you first register).

Customer Support

In case you experience an issue with an Eforto® service or have a question, we may need to access your data to assist you.

We are committed to handling your personal information and data with integrity and care. However, regardless of the security protections and precautions we undertake, there is always a risk that your personal data may be viewed and used by unauthorized 3rd parties as a result of collecting and transmitting your data through the internet. If you have any questions about the security of your personal data, please contact us.

Section 3 - When and How do we Share your Data?

Eforto® does not sell, rent, lease, give away, disclose, or share data without explicit consent. In one common scenario, consent can be requested to share your data:

• To allow (a subset of) your data to be shared with researchers running a research or clinical study, typically with the intention to improve the standard of care.
  In this case, either Eforto® or a 3rd party will provide an informed consent form (ICF) that clearly explains what you () are giving consent for and under which circumstances you can withdraw that consent. If a healthcare provider stores data collected by an Eforto® service on one of their services (e.g. an electronic medical record system), that usage of the data is a contract between you () and them (). Please refer to the privacy policy of the healthcare provider for more information.

Service Providers

We use service providers to run certain Eforto® services. We may give authorized persons working for some of these providers access to your data, but only to the extent necessary for them to perform their services for us. We also implement reasonable contractual and technical protections to ensure the confidentiality of your personal information and data is maintained, used only for the provision of their services to us, and handled in accordance with this Privacy Policy. With our service providers, we have a business associate agreement (BAA) that stipulates their and our requirements to comply with GDPR and HIPAA regulations as explained above.

When Required or Permitted by Law

We may disclose your data as required or permitted by law, or when we believe that disclosure is necessary to protect our rights, protect your safety or the safety of others, and/or to comply with a judicial proceeding, court order, subpoena, or other legal process served on us.

Change in Business Ownership or Structure

If ownership of all or substantially all of our business changes, or we undertake a corporate reorganization (including a merger or consolidation) or any other action or transfer between Eforto® entities, you expressly consent to Eforto® transferring your data to the new owner or successor entity so that we can continue providing our services. If required, Eforto® will notify the applicable data protection agency in each jurisdiction of such a transfer in accordance with the notification procedures under applicable data protection laws.

Section 4 - Consent

	Any medical or research usage of your data will be clearly explained in an ICF as discussed in Section 3.
&	In addition, when you provide us with personal information to register and use an Eforto® service, complete a transaction, arrange for a delivery or return, or request support, we assume that you consent to us processing and using that information for that specific reason only.
&	If we ask for your personal information for a secondary reason, like keeping you up-to-date on new service features, we will ask you directly for your consent.

If you change your mind after opting-in you may withdraw your consent for us to contact you, for the continued collection, use or disclosure of your information, at any time, by contacting us directly.

Section 5 - Security

To protect your personal data, we take reasonable precautions and follow industry best practices to make sure it is not inappropriately lost, misused, accessed, disclosed, altered, or destroyed.

Please note that we handle any event that might impact the availability, confidentiality, or integrity of personal data as a data breach and will act in accordance with the applicable data protection regulations and other laws for all impacted individuals, including but not limited to the EU General Data Privacy Regulation (GDPR) and US Health Insurance Portability and Accountability Act (HIPAA).

In addition, we regularly perform Data Protection Impact Assessments (DPIAs) for existing and new Eforto® Services. A public summary DPIA can be accessed here and is regularly revised.

UniWeb BV, located at ‘s Herenweg 16, 1860 Meise, Belgium is the data controller and processor for all data we collect from users in the EU and US.

Eforto® Cloud is hosted on our internal servers (in a data center), and unless mentioned otherwise, these servers are located in Belgium (Zaventem). More details about our commitment to safeguarding your data can be found on the Our Commitment page.

Section 6 - Safety of Children

No Eforto® services can be used by persons under the age of 18.

Section 7 - Your Rights to Control What Happens to your Data

We implement the rights for individuals as stated in the GDPR worldwide, including:

• The right to be informed about how we collect and why we use the data
• The right to access and rectify your personal information
• The right to be forgotten
• The right to data portability
• The right to be notified if your personal information was in any way compromised

Note that participation in a clinical study may overrule some of these rights. If that is the case, you will be informed of this in the study’s informed consent form and you will need to give your express permission.

Specifically, you can:

1. Access and correct your personal information: As a user of an Eforto® service, you may access and correct certain personal information that Eforto® holds about you. In all cases, requests to exercise these rights may be directed to our customer support team.
2. Delete your data: Deleting data will not permanently remove it immediately. As long as you keep using an Eforto® service, we may retain your deleted data for a limited time in case you deleted something by accident and need to restore it (which you can request by contacting the customer support team). To the extent permitted by law, we will permanently delete your data if you instruct us to do so, in which case you will not be able to use any Eforto® services that require an account, until you make a new account.
3. Cancel your account: To cancel and delete your account, please contact our customer support team. We will respond to any such request, and any appropriate request to access, correct, update, or delete your personal data within the time period specified by law (if applicable) or without excessive delay. We will promptly fulfill requests to delete personal data unless the request is not technically feasible or such data is required to be retained by law (in which case we will block access to such data, if required by law).
4. Take your data elsewhere: Taking into account that Eforto® services provide data in a structured, commonly used and machine-readable format, you ( & ) as a user of our products and services, already have the right to transmit those data to another company’s application or service if desired.

Section 8 - How Long do we Retain your Data?

We generally retain your data for as long as you use any of the Eforto® services or have an account with us, or to comply with our legal obligations (which may include local laws governing the storage of medical data), resolve disputes, or enforce our agreements. Data that is deleted from our servers may remain as residual copies on offsite backup media for up to 6 months.

Section 9 - Changes to this Privacy Policy

We may modify this Privacy Policy at any time, but if we do, we will notify you. If we determine the changes are material, we will provide you with an additional prominent notice as is appropriate under the circumstances, such as via email or in another conspicuous manner reasonably designed to notify you. If, after being informed of these changes, you continue to use our services beyond the advance-notice period, you will be considered as having expressly consented to the changes in our Privacy Policy (this document). If you disagree with the terms of this Privacy Policy or any updated Privacy Policy, you may close your account at any time by contacting us.

Copyright © 2023 UniWeb BV